1. Introductions and apologies


1.1. Ailsa Beaton, the new Non-executive Director and 
member of the Committee was welcomed to the meeting. 
Heather Dove, the new Head of Finance at the ICO, was also 
welcomed. There were apologies from James Edmands at the 
NAO who was unable to attend. 


1.2. The Committee requested that the next meeting, 
scheduled for 9 December, be moved to Monday 8 December 
if possible. 


Action point 1: Secretariat to move the next meeting of 
the Committee if possible to the 8 December. 


1.3. The Committee also requested that the Committee pre- 
meetings start at 13:30 rather than 13:00 and that the 
Committee proper starts at 13:50 with the aim of finishing by 
15:50. 


Action point 2: Secretariat to re-schedule the meetings 
to start at 13:30 and 13:50. 


2. Declaration of interests 


2.1. Ailsa Beaton advised that she was a Non-executive 
Director of BACs Payment Schemes LTD. Banking was raised 
in the paper presented as part of agenda item 3 entitled 
“Threats and Opportunities to Information Rights Arising from 
Technology”. This was not considered to raise a conflict of 
interest. 


3. Action points from the Audit Committee meeting of the 
6 June 


3.1. The minutes had been agreed by correspondence and 
there were no further amendments identified. 


3.2. Un-cleared action points were considered in detail:


3.2.1. Simon Entwisle advised that his action, to ensure that 
the audit trail for changes to the apportionment model is 
clear and readily accessible, had been actioned. 


3.2.2. The NAO had not as yet provided the ICO with 
information on whether or not other organisations were 
able to retain some of the financial penalties paid to them 
to help fund collection. 


Action point 3: Secretariat to ask the NAO for an 
update to circulate to members as soon as possible. 


4. Commissioner’s update 


4.1. The Information Commissioner provided an update on 
key issues affecting the ICO. Matters highlighted included: 


4.1.1. The successful launch of the Annual Report in July and 
the well received key message of the need for a new 
funding model for the ICO. 


4.1.2. A Leadership Group planning event was taking place 
the next day looking at what the ICO needed to do over 
three years starting in April 2015. 


4.1.3. Succession planning was an issue for the ICO with a 
change in Commissioner happening in June 2016 and 
various other known about changes in senior managers 
also happening over the next few years. 


4.1.4. The 10th anniversary of the coming into force of
individual rights under the Freedom of Information Act 
was on 1 January 2015. An event was planned. 


4.1.5. The ICO was inputting into both Ministry of Justice 
(MOJ) planning for 2015/16 and their efficiency review. At 
the same time the ICO was subject to a triennial review 
by the MOJ and Cabinet Office which would also focus on 
ICO efficiency in meeting its duties. 


4.1.6. Treasury and MOJ agreement to the pay remit was still 
awaited. The ICO had been invited to attend the meeting 
with the Treasury to discuss the remit. 


4.1.7. Recruitment was about to begin for a new Non- 
Executive Director to replace Enid Rowlands who was 
standing down at the end of December. 


5. Risk Management 


Risk register 


5.1. The Committee noted that the risk register was still a 
work in progress and proposed that if it was not finalised by 
the time of the next Management Board, rather than 
presenting an unfinished register, the focus should be on 
bringing a final agreed version to the December Audit 
Committee. The risk register had to be used by management. 


5.2. The link between the risk register and the internal audit 
plan was recognised, emphasising the need to agree the risk 
register. The need to ensure that the draft internal audit plan 
was also agreed prior to the start of the next financial year 
was also highlighted. 


Information rights arising from technologies 


5.3. The paper entitled “Threats and Opportunities to 
Information Rights Arising from Technology” had been
appended to the risk register to both demonstrate work on
identifying such risks and opportunities and for discussion. 
The report would be updated periodically and when it was it 
would be brought again to the Committee for information. 


5.4. The Committee considered that the report was a very 
helpful document. Suggestions made for consideration in 
future iterations of the report included: 


5.4.1. Distinguishing between individuals, companies and 
service providers to help separate out the interests of the 
different parties involved, especially in respect of the 
cloud; 


5.4.2. Identifying clearly where there were actions for other 
parties (such as government) as well as the ICO; and


5.4.3. Identifying where individuals had to be responsible for 
their own actions when using technology. 


5.5. The report was not published and given its length this 
might not be the best way of publicising messages from it. 
But it was used internally as a reference and its author Simon 
Rice had blogged recently on technological issues and had 
attended an SME conference. 


6. Replacement of the finance IT system 


6.1. Louise Byers provided an update on plans to replace the 
current finance system. The system was old and now out of 
support. The ICO had identified its requirements, short listed 
available products and had now decided on a preferred 
solution. There were discussions needed about 
implementation costs but the hope was that the 
implementation project would be well on the way by 
December. The NAO would be involved and Grant Thornton 
had provided some useful support to the process already. 


6.2. The aim was to implement the new system by the end 
of the financial year. However the old system would be used 
to produce the annual accounts and the aim was to run both 
the old and the new systems in tandem for a while. 


6.3. Simon Entwisle confirmed that there was money in the 
budget for the new system this year. 


6.4. In terms of governance the project board reports to the 
IT Steering Group which itself reports to Executive Team. 


6.5. Audit Committee requested sight of a detailed 
implementation plan and an update report for the December 
and March meetings. 


Action point 4: Simon Entwisle to provide the 
Committee with implementation plans and update 
reports for the December and March Audit Committee 
meetings. 


6.6. It was confirmed that the new system would allow the 
ICO to move from cash to accruals management accounts. 
There was uncertainty over the requirements of the MOJ in 
terms of their reporting requirements. 


Action point 5: Simon Entwisle to confirm the reporting 
requirements of the MOJ at the next Committee 
meeting. 


6.7. The Committee also asked about how the necessary 
business change would be managed. Louise Byers advised 
that much work was being done with budget holders in 
preparation for the change. 


7. Reporting on fraud 


7.1. Peter Bloomfield introduced a paper detailing the
various policies the ICO had covering the reporting of fraud, 
whistleblowing and security incidents. The Committee 
confirmed that the policies covered areas they expected and 
that no changes were needed. In terms of reporting however 
it was agreed that a more formal approach was needed, 
albeit without being overly bureaucratic. 


7.2. Peter Bloomfield suggested a formal quarterly request
to those noted in the reports as being people to report 
incidents to was a practical solution, with the Committee then 
being advised of incidents that quarter. The Committee 
confirmed that it did not require details, just numbers. 


Action point 6: Peter Bloomfield to set up a more 
formal procedure to allow quarterly reporting of fraud, 
whistleblowing and security incidents by the time of 
the next Committee meeting. 


8. Outstanding audit recommendations 


8.1. The register of outstanding audit recommendations 
(both internal and external) was presented for discussion. It 
was noted that several IT service management and contract 
management review actions had not been updated. Simon 
Entwisle reported that several of these actions had been 
cleared. 


8.2. The Committee asked that the report be updated and be 
re-circulated to Committee members. 


Action point 7: Secretariat to request updates where 
necessary, and to re-circulate an up to date report to 
the Committee and attendees for information. 


8.3. The Committee also asked for dates to be agreed for 
the external audit recommendations and for the actions to be 
more specific (eg SMART). 


9. Internal audit


9.1. Grant Thornton updated the Committee on progress in 
meeting the internal audit plan. They had met with Simon 
Entwisle after the senior management reorganisation to 
ensure that the changes in responsibilities were reflected in 
the work the auditors were doing. 


9.2. In respect of integrated assurance work they were 
looking at second lines of management assurance where 
committees and other groups checked what was being done. 


9.3. They would also be reviewing how corporate and 
business planning worked together. 

9.4. The plan was within budget. 

9.5. Simon Entwisle advised the Committee that Grant
Thornton had provided helpful advice on the working of the
IT Steering Group. 


10. Integrated assurance update


10.1. Simon Entwisle and Louise Byers explained that the ICO 
was taking a slightly different approach to integrated 
assurance than possibly understood. They were working with 
information asset owners on information governance policies 
and procedures, asking them about how confident they were 
that policies and procedures were working. This work had 
already resulted in plans and activities aiming at addressing 
weaknesses. There will be another report on this to the 
December meeting. 


10.2. The ICO felt that this focused approach was useful, but 
was not needed in all areas of ICO work where other 
approaches, such as the use of steering groups, might work 
better. 


10.3. The Committee considered that there was possibly 
misunderstanding between parties as to what integrated
assurance was and a need therefore for more discussion,
especially as to what a good integrated assurance system 
would look like for the ICO. 


Action point 8: Simon Entwisle and Louise Byers to 
work with Grant Thornton on their integrated 
assurance review, the results of which will be 
presented to Audit Committee. 


11. Any other urgent business 


11.1. The Committee asked that a brief summary of the most
recent finance report come to Audit Committee on a regular 
basis. 


Action point 9: Secretariat to add the finance report as 
a standing agenda item. 


11.2. The Committee requested that if at all possible they 
would like to receive papers electronically. 


Action point 10: Secretariat to investigate the current 
position on providing committee papers electronically. 


